Is it time for treaties governing the use of cyber weapons?

In a New York Times op-ed piece, Misha Glenny raises some interesting arguments about the lack of any international treaties controlling the use of cyber weapons, particularly over their use in peacetime. “It is one thing to write viruses and lock them away safely for future use should circumstances dictate it,” Glenny writes. “It is quite another to deploy them in peacetime.”

Glenny, a visiting professor at the Columbia University School of International and Public Affairs, and author of “DarkMarket: Cyberthieves, Cybercops and You,” is writing in the wake of the New York Times revelation that the U.S. and Israel were, as suspected for a long time, responsible for Stuxnet, and the Washington Post report linking the U.S. to the information-gathering Flame super malware.

The danger, Glenny says, is that like Stuxnet, cyber weapons tend to get out in the wild despite the owners best efforts and can be used to create all sorts of general havoc. So, best to have treaties to impose tight restrictions on their use. We have treaties governing the use of nuclear and chemical weapons, Glenny argues, and “It is in the United States’ interest to push for one [a treaty] before the monster it has unleashed comes home to roost.” The U.S. has set a precedent that other countries possessing such weaponry will be tempted to use as a result of Stuxnet being unleashed on the centrifuges at Iran’s Natanz uranium enrichment facility.

I’m not sure that equating cyber weapons such as Stuxnet to nuclear or chemical weapons is justified. Was Stuxnet a nuke or a surgical strike? If the U.S. drops in a team of Navy Seals if diplomacy continues to fail, wouldn’t a large number, perhaps the majority of Americans say it was justified. If a hostile nation possessed a cyber weapon capable of, say, wiping out the Northeast electrical grid, a treaty would not stop them if they got to the point where they decided to deploy it.

There’s a fine line that we walk between covert operations and acts of war, between sabotage and a shooting war. The U.S. has already stated as policy that an attack on our nation’s infrastructure may be regarded as an act of war and result in conventional retaliation — i.e., bombs and bullets. That’s not control by treaty, but potentially hostile states have no doubt gotten the message. Iran could have regarded Stuxnet as an act of war, but did not.

A cyber weapons treaty could extend to industrial espionage perpetrated by nation states, such as China, which, according to Rob Lee, an expert in advanced persistent threats control and response speaking in a Security Bistro interview, does not even consider it an international misdemeanor.

Will a treaty allow the signatories to use cyber weapons against those nations who aren’t a party to it, or to nuclear and chemical weapons treaties?

There is the question of what, in fact, constitutes a cyber weapon. Surely not a covert intelligence-gathering tool such as Flame. Do we distinguish between surgical weapons such as Stuxnet and a cyber weapon of mass destruction?

Glenny raises legitimate and thought-provoking points, but my feeling is that there will be no consideration of treaties until — and if — cyber weapons raise the level of terror that nuclear missiles and chemical weapons invoke.